Bug 1568510 - SELinux is preventing dovecot from using the dac_override capability
Summary: SELinux is preventing dovecot from using the dac_override capability
Status: CLOSED DUPLICATE of bug 1560704
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2018-04-17 16:18 UTC by Juan Orti
Modified: 2018-05-03 18:09 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-05-03 18:09:44 UTC
Type: Bug


Description Juan Orti 2018-04-17 16:18:37 UTC
SELinux is preventing dovecot from using the dac_override capability.
*****  Plugin dac_override (91.4 confidence) suggests   **********************
If you want to help identify whether the domain needs this access, or you have a file with the wrong permissions on your system,
then turn on full auditing to get path information about the offending file and generate the error again.

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that dovecot should have the dac_override capability by default,
then you should report this as a bug.
You can generate a local policy module to allow this access for now by executing:
# ausearch -c 'dovecot' --raw | audit2allow -M my-dovecot
# semodule -X 300 -i my-dovecot.pp

Additional Information:
Source Context                system_u:system_r:dovecot_t:s0
Target Context                system_u:system_r:dovecot_t:s0
Target Objects                Unknown [ capability ]
Source                        dovecot
Source Path                   dovecot
Port                          <Unknown>
Host                          helio
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     helio
Platform                      Linux helio 4.16.2-300.fc28.x86_64 #1 SMP Thu Apr 12 14:58:07 UTC 2018 x86_64 x86_64
Alert Count                   3
First Seen                    2018-04-17 17:47:12 CEST
Last Seen                     2018-04-17 18:16:56 CEST
Local ID                      3c73d1fc-add0-45db-b118-d38a8c099ca6

Raw Audit Messages
type=AVC msg=audit(1523981816.916:603): avc:  denied  { dac_override } for  pid=3879 comm="dovecot" capability=1  scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0

Hash: dovecot,dovecot_t,dovecot_t,capability,dac_override
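
The plugin text above describes a triage procedure rather than a fix: a capability-class denial whose target context is the domain itself names no file, so you enable full auditing, reproduce, and look for a PATH record before choosing between repairing the file's owner/mode and widening dovecot_t with an audit2allow module. The script below is an added example, not part of the bug report, of setroubleshoot or of selinux-policy. It parses a raw AVC record (the one from this report, embedded as a constructed sample so it runs offline) and classifies it, cross-checking the named permission against the numeric capability field using the CAP_* numbering from linux/capability.h. The function names avc_field, avc_perm, cap_name and triage_avc are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or from setroubleshoot): parse one raw
# AVC record and classify a dac_override denial the way the plugin text reasons
# about it. Runs offline; on a live host feed it lines from
#   ausearch -m avc -ts recent --raw | grep '^type=AVC'
# Function names below are this example's own, not tool or policy names.

# Constructed sample: the raw audit message from the report, copied verbatim.
SAMPLE_AVC='type=AVC msg=audit(1523981816.916:603): avc:  denied  { dac_override } for  pid=3879 comm="dovecot" capability=1  scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0'

# avc_field LINE KEY: value of the first " KEY=value" pair, quotes stripped;
# prints an empty string when the key is absent.
avc_field() {
    local v
    v=$(printf '%s\n' "$1" | grep -o " $2=[^ ]*" | head -n 1)
    v=${v#*=}
    v=${v#\"}
    v=${v%\"}
    printf '%s\n' "$v"
}

# avc_perm LINE: the permission named inside "{ ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^ }]*\).*/\1/p'
}

# cap_name N: SELinux permission name for capability number N, using the
# numbering from linux/capability.h (only the low numbers are listed here;
# anything else is reported as "unknown" and not used for the consistency check).
cap_name() {
    case $1 in
        0) echo chown ;;
        1) echo dac_override ;;
        2) echo dac_read_search ;;
        3) echo fowner ;;
        4) echo fsetid ;;
        5) echo kill ;;
        6) echo setgid ;;
        7) echo setuid ;;
        *) echo unknown ;;
    esac
}

# triage_avc LINE: prints one of
#   dac_override-self  capability-class denial, scontext equal to tcontext,
#                      permission dac_override. The record names no file, which
#                      is why the plugin text says to enable full auditing and
#                      look for a PATH record before touching policy.
#   inconsistent       the named permission and the numeric capability field
#                      disagree (a mangled or hand-edited record; do not act on it).
#   other              anything else (a file/dir/socket denial, another capability).
triage_avc() {
    local tclass perm capno capname scon tcon
    tclass=$(avc_field "$1" tclass)
    perm=$(avc_perm "$1")
    capno=$(avc_field "$1" capability)
    capname=$(cap_name "$capno")
    scon=$(avc_field "$1" scontext)
    tcon=$(avc_field "$1" tcontext)
    if [ "$tclass" != capability ] || [ "$scon" != "$tcon" ]; then
        echo other
    elif [ "$capname" != unknown ] && [ "$capname" != "$perm" ]; then
        echo inconsistent
    elif [ "$perm" = dac_override ]; then
        echo dac_override-self
    else
        echo other
    fi
}

# Demo on the embedded sample.
printf 'pid=%s comm=%s -> %s\n' \
    "$(avc_field "$SAMPLE_AVC" pid)" \
    "$(avc_field "$SAMPLE_AVC" comm)" \
    "$(triage_avc "$SAMPLE_AVC")"
```

A result of dac_override-self means the PATH-record step from the plugin text is the right next move: with the watch rule in place the next AVC arrives with a PATH record, and if that file's owner or mode is not what the package intends, fixing it removes the denial. Only when the ownership is as intended does the audit2allow module become the answer, and note that `semodule -i my-dovecot.pp` grants dovecot_t the dac_override capability permanently, for every file it touches, not just the one that triggered the alert.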

Comment 1 Enrique Meléndez 2018-05-03 06:10:32 UTC
Same here, on a system just upgraded to Fedora 28 from F27 with no issues previously.

Dovecot would refuse to startup, complaining about existing sockets in /var/run/dovecot. Those sockets are owned by dovecot or root and are in group root or dovenull. Sockets in /var/run/dovecot/login are owned by root or dovenull and are in group root. In addition, I have

drwxr-xr-x. 5 root dovecot 780 May  3 08:01 /var/run/dovecot

I guess some of the permissions/ownership are not correct, but I need dovecot, so I did

# ausearch -c 'dovecot' --raw | audit2allow -M my-dovecot
# semodule -X 300 -i my-dovecot.pp

to bring dovecot back to life. A better solution is appreciated.

Comment 2 Mads Kiilerich 2018-05-03 12:05:04 UTC
For me, after upgrading to f28 and purging /var/run/dovecot and restorecon, it works. But I still get the SE warning reported here.

Comment 3 Lukas Vrabec 2018-05-03 18:09:44 UTC

*** This bug has been marked as a duplicate of bug 1560704 ***
